It is possible to download and install rules manually, but there is a
much easier and quicker way to do so. There are special programs which
you can use for downloading and installing rules. There is for example
Pulled Pork and
Oinkmaster. In this documentation
the use of Oinkmaster will be described.

To install Oinkmaster, enter:

sudoapt-getinstalloinkmaster

There are several rulesets. There is for example Emerging Threats (ET)
Emerging Threats Pro and VRT. In this example we are using Emerging
Threats.

Oinkmaster has to know where the rules an be found. These rules can be found at:

Place a # in front of the url that is already there and add the new url like this:

(Close oinkmaster.conf by pressing ctrl x, followed by y and enter. )

The next step is to create a directory for the new rules. Enter:

sudomkdir/etc/suricata/rules

Next enter:

cd/etcsudooinkmaster-C/etc/oinkmaster.conf-o/etc/suricata/rules

In the new rules directory a classification.config and a
reference.config can be found. The directories of both have to be
added in the suricata.yaml file. Do so by entering:

sudonano/etc/suricata/suricata.yaml

And add the new file locations instead of the file locations already
present, like this:

To see if everything works as pleased, run Suricata:

suricata-c/etc/suricata/suricata.yaml-iwlan0(oreth0)

You will notice there are several rule-files Suricata tries to load,
but are not available. It is possible to disable those rule-sets in
suricata.yaml by deleting them or by putting a # in front of them. To
stop Suricata from running, press ctrl c.

Emerging Threats contains more rules than loaded in Suricata. To see
which rules are available in your rules directory, enter:

ls/etc/suricata/rules/*.rules

Find those that are not yet present in suricata.yaml and add them in
yaml if desired.

You can do so by entering :

sudonano/etc/suricata/suricata.yaml

If you disable a rule in your rule file by putting a # in front of it,
it will be enabled again the next time you run Oinkmaster. You can
disable it through Oinkmaster instead, by entering the following:

cd/etc/suricata/rules

and find the sid of the rule(s) you want to disable.

Subsequently enter:

sudonano/etc/oinkmaster.conf

and go all the way to the end of the file.
Type there:

disablesid2010495

Instead of 2010495, type the sid of the rule you would like to
disable. It is also possible to disable multiple rules, by entering
their sids separated by a comma.

If you run Oinkmaster again, you can see the amount of rules you have
disabled. You can also enable rules that are disabled by default. Do
so by entering:

ls/etc/suricata/rules

In this directory you can see several rule-sets
Enter for example:

sudonano/etc/suricata/rules/emerging-malware.rules

In this file you can see which rules are enabled en which are not.
You can not enable them for the long-term just by simply removing
the #. Because each time you will run Oinkmaster, the rule will be
disabled again. Instead, look up the sid of the rule you want to
enable. Place the sid in the correct place of oinkmaster.config:

sudonano/etc/oinkmaster.conf

do so by typing:

enablesid:2010495

Instead of 2010495, type the sid of the rule you would like to to
enable. It is also possible to enable multiple rules, by entering
their sids separated by a comma.

In oinkmaster.conf you can modify rules. For example, if you use
Suricata as inline/IPS and you want to modify a rule that sends an
alert when it matches and you would like the rule to drop the packet
instead, you can do so by entering the following:

sudonanooinkmaster.conf

At the part where you can modify rules, type:

modifysid 2010495 “alert” | “drop”

The sid 2010495 is an example. Type the sid of the rule you desire to
change, instead.